Testing decoders and rules

The tool ossec-logtest allow us to test how an event is decoded and if an alert is generated.

Run the tool /var/ossec/bin/ossec-logtest and paste the following log:

Mar  8 22:39:13 ip-10-0-0-10 sshd[2742]: Accepted publickey for root from 73.189.131.56 port 57516
$ /var/ossec/bin/ossec-logtest

Mar  8 22:39:13 ip-10-0-0-10 sshd[2742]: Accepted publickey for root from 73.189.131.56 port 57516

**Phase 1: Completed pre-decoding.
       full event: 'Mar  8 22:39:13 ip-10-0-0-10 sshd[2742]: Accepted publickey for root from 73.189.131.56 port 57516'
       hostname: 'ip-10-0-0-10'
       program_name: 'sshd'
       log: 'Accepted publickey for root from 73.189.131.56 port 57516'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       dstuser: 'root'
       srcip: '73.189.131.56'

**Phase 3: Completed filtering (rules).
       Rule id: '5715'
       Level: '3'
       Description: 'sshd: authentication success.'
**Alert to be generated.

Warning

The decoder name showed in Phase 2 will be the name of the parent decoder.

In addition, you can use the option “-v” to show more information about the rules:

$ /var/ossec/bin/ossec-logtest -v

Mar  8 22:39:13 ip-10-0-0-10 sshd[2742]: Accepted publickey for root from 73.189.131.56 port 57516


**Phase 1: Completed pre-decoding.
       full event: 'Mar  8 22:39:13 ip-10-0-0-10 sshd[2742]: Accepted publickey for root from 73.189.131.56 port 57516'
       hostname: 'ip-10-0-0-10'
       program_name: 'sshd'
       log: 'Accepted publickey for root from 73.189.131.56 port 57516'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       dstuser: 'root'
       srcip: '73.189.131.56'

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
       *Trying child rules.
    Trying rule: 600 - Active Response Messages Grouped
    Trying rule: 2100 - NFS rules grouped.
    Trying rule: 2507 - OpenLDAP group.
    Trying rule: 2550 - rshd messages grouped.
    Trying rule: 2701 - Ignoring procmail messages.
    Trying rule: 2800 - Pre-match rule for smartd.
    Trying rule: 5100 - Pre-match rule for kernel messages
    Trying rule: 5200 - Ignoring hpiod for producing useless logs.
    Trying rule: 2830 - Crontab rule group.
    Trying rule: 5300 - Initial grouping for su messages.
    Trying rule: 5905 - useradd failed.
    Trying rule: 5400 - Initial group for sudo messages
    Trying rule: 9100 - PPTPD messages grouped
    Trying rule: 9200 - Squid syslog messages grouped
    Trying rule: 2900 - Dpkg (Debian Package) log.
    Trying rule: 2930 - Yum logs.
    Trying rule: 2931 - Yum logs.
    Trying rule: 2940 - NetworkManager grouping.
    Trying rule: 2943 - nouveau driver grouping
    Trying rule: 3100 - Grouping of the sendmail rules.
    Trying rule: 3190 - Grouping of the smf-sav sendmail milter rules.
    Trying rule: 3300 - Grouping of the postfix reject rules.
    Trying rule: 3320 - Grouping of the postfix rules.
    Trying rule: 3390 - Grouping of the clamsmtpd rules.
    Trying rule: 3395 - Grouping of the postfix warning rules.
    Trying rule: 3500 - Grouping for the spamd rules
    Trying rule: 3600 - Grouping of the imapd rules.
    Trying rule: 3700 - Grouping of mailscanner rules.
    Trying rule: 3800 - Grouping of Exchange rules.
    Trying rule: 3900 - Grouping for the courier rules.
    Trying rule: 4300 - Grouping of PIX rules
    Trying rule: 4500 - Grouping for the Netscreen Firewall rules
    Trying rule: 4700 - Grouping of Cisco IOS rules.
    Trying rule: 4800 - SonicWall messages grouped.
    Trying rule: 5500 - Grouping of the pam_unix rules.
    Trying rule: 5556 - unix_chkpwd grouping.
    Trying rule: 5600 - Grouping for the telnetd rules
    Trying rule: 5700 - SSHD messages grouped.
       *Rule 5700 matched.
       *Trying child rules.
    Trying rule: 5709 - sshd: Useless SSHD message without an user/ip and context.
    Trying rule: 5711 - sshd: Useless/Duplicated SSHD message without a user/ip.
    Trying rule: 5721 - sshd: System disconnected from sshd.
    Trying rule: 5722 - sshd: ssh connection closed.
    Trying rule: 5723 - sshd: key error.
    Trying rule: 5724 - sshd: key error.
    Trying rule: 5725 - sshd: Host ungracefully disconnected.
    Trying rule: 5727 - sshd: Attempt to start sshd when something already bound to the port.
    Trying rule: 5729 - sshd: Debug message.
    Trying rule: 5732 - sshd: Possible port forwarding failure.
    Trying rule: 5733 - sshd: User entered incorrect password.
    Trying rule: 5734 - sshd: sshd could not load one or more host keys.
    Trying rule: 5735 - sshd: Failed write due to one host disappearing.
    Trying rule: 5736 - sshd: Connection reset or aborted.
    Trying rule: 5750 - sshd: could not negotiate with client.
    Trying rule: 5756 - sshd: subsystem request failed.
    Trying rule: 5707 - sshd: OpenSSH challenge-response exploit.
    Trying rule: 5701 - sshd: Possible attack on the ssh server (or version gathering).
    Trying rule: 5706 - sshd: insecure connection attempt (scan).
    Trying rule: 5713 - sshd: Corrupted bytes on SSHD.
    Trying rule: 5731 - sshd: SSH Scanning.
    Trying rule: 5747 - sshd: bad client public DH value
    Trying rule: 5748 - sshd: corrupted MAC on input
    Trying rule: 5702 - sshd: Reverse lookup error (bad ISP or attack).
    Trying rule: 5710 - sshd: Attempt to login using a non-existent user
    Trying rule: 5716 - sshd: authentication failed.
    Trying rule: 5718 - sshd: Attempt to login using a denied user.
    Trying rule: 5726 - sshd: Unknown PAM module, PAM misconfiguration.
    Trying rule: 5737 - sshd: cannot bind to configured address.
    Trying rule: 5738 - sshd: pam_loginuid could not open loginuid.
    Trying rule: 5704 - sshd: Timeout while logging in.
    Trying rule: 5717 - sshd: configuration error (moduli).
    Trying rule: 5728 - sshd: Authentication services were not able to retrieve user credentials.
    Trying rule: 5730 - sshd: SSHD is not accepting connections.
    Trying rule: 5739 - sshd: configuration error (AuthorizedKeysCommand)
    Trying rule: 5740 - sshd: connection reset by peer
    Trying rule: 5741 - sshd: connection refused
    Trying rule: 5742 - sshd: connection timed out
    Trying rule: 5743 - sshd: no route to host
    Trying rule: 5744 - sshd: port forwarding issue
    Trying rule: 5745 - sshd: transport endpoint is not connected
    Trying rule: 5746 - sshd: get_remote_port failed
    Trying rule: 5749 - sshd: bad packet length
    Trying rule: 5715 - sshd: authentication success.
       *Rule 5715 matched.
       *Trying child rules.
    Trying rule: 40101 - System user successfully logged to the system.
    Trying rule: 40112 - Multiple authentication failures followed by a success.

**Phase 3: Completed filtering (rules).
       Rule id: '5715'
       Level: '3'
       Description: 'sshd: authentication success.'
**Alert to be generated.